The Protection of Personal Information (POPI) Act puts South Africa’s data regulation standards on par with existing data protection laws around the world. It aims to protect personal information (PII), enforce individuals’ rights to privacy, and provide guidelines for lawfully processing sensitive information and notifying regulators and data subjects in the event of a breach.
Scope of the POPI Act
The POPI Act covers personal information, which means any information that relates to a specific person. The law notes that this isn't limited to a "natural person" (that is, a human being) but also a "juristic person", which means an independent legal entity such as a company.
The law applies to any data processor that is domiciled (legally based) in South Africa. It also applies if the data processor is outside of South Africa "but makes use of automated or non-automated means in the [country]." Although the law does allow for some exclusions (such as national security and journalism), these generally won't apply to businesses processing personal information.
Basically, it’s a code of conduct that all businesses must comply with.
How POPI protects your data
The aim of the Act is to protect consumers from harm by protecting their personal information. It aims to protect consumers from having their money and identities stolen, as well as to keep their private information private.
To do this, the Act sets out eight guidelines for when it is lawful for someone to use and process someone else’s personal information. They are:
- Accountability
- Processing limitation
- Purpose specification
- Further processing limitation
- Information quality
- Openness
- Security safeguards
- Data subject participation
What counts as ‘personal information’?
In terms of the Act, personal information is data that can be used to identify a person. It is defined as “information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person.” This information about a person includes, but is not limited to:
- race
- gender
- pregnancy
- marital status
- national, ethnic, or social origin
- colour
- age
- religion, beliefs, or culture
- language
- educational, medical, financial, criminal, or employment history
- ID number
- email address
- physical address
- telephone number
- location
- biometric information
So, will POPI affect marketers?
The answer is yes, definitely. POPI does not prohibit direct marketing, it merely regulates the way in which information should be received from data subjects. With POPI, direct marketing will have to become ‘opt-in’, where consumers will have to actively agree to receive promotional messaging. It’s not only direct marketing that will be affected by the POPI Act—any form of marketing that involves the processing of personal information will be, too.
So can you keep sending marketing emails to your existing subscribers—people added to your lists before POPI takes full effect? Yes, you can still send emails to these contacts! There is no explicit need for obtaining new consent, but as of 1 July 2021, the Act states that all data subjects need to have provided consent after the first communication, and you will need to stop communicating with them if this consent is not obtained. In short, for new prospects, opt-in consent is required along with the option to opt out at any time, and for existing customers, an opt-out option should be provided.
How should you get consent?
Marketers can no longer send emails or marketing communication to anyone who has only filled in a web enquiry form or a pop-up, as contacts will now have to explicitly permit you to send them marketing materials. It is, therefore, essential that any business using direct marketing ensures that they clearly and unambiguously inform the data subjects when requesting personal information and what the purpose of requesting the information is.
Marketers must use opt-ins in all forms and when new users sign up. It is recommended to specifically disclose what the users will receive from you after agreeing to your Terms and Conditions. It is also crucial to include a link to your privacy policy on all web sign-up forms. This helps subscribers understand what they are consenting to and how to opt out.
Penalties for non-compliance
Marketers who do not comply with the POPI Act can face both civil and criminal charges. Fines can go up to R10 million and, in extreme cases, there is also the possibility of being sentenced to up to 10 years in jail.
To POPI-proof your marketing, keep these four basic tips in mind:
- Respect the consumer’s choice to opt-in or out.
- Be clear that you are requesting consent for a specific purpose, such as contacting them about insurance policies.
- Give consumers a clear way to express their choice by giving them the option to click a button or mark a checkbox.
- Keep records of when and how consent was obtained and exactly what it covers.
Is POPI the same as GDPR?
Though there are several key differences, the POPI Act is very similar to the GDPR, sharing the same principles including transparency, accountability, security, data minimisation, and the rights of data subjects. Here’s a comparison table of a few key attributes:
| POPI ACT | GDPR |
Territorial Scope | Restricted to organizations that are either based or process personal data in South Africa. | Global: all organizations offering goods or services to individuals in the EU, or monitoring the behaviour of individuals in the EU. |
Data Controller | Mandatory role, known as Information Officer, for all organisations under POPI Act.
POPIA does not require a representative based within South Africa. | Mandatory role of Data Protection Officer for public-sector bodies and companies that process personal data at scale.
Data controllers based outside the EU and involved in certain forms of processing, with exceptions based on the scale of processing and type of data, are obliged to designate a representative based within the EU in writing. |
Breach reporting deadlines | As soon as reasonably possible | Within 72 hours |
Penalties | R10 million fine or up to 10 years’ imprisonment | 4% of global annual revenue or €20 million, whichever is higher |
Data Transfer | Cross-border transfers are permitted to a third party that is subject to legal or corporate data protection rules. | International transfers are only permitted to specific countries with legal frameworks that provide adequate protection of personal data. |
Conclusion
Consumer privacy is extremely important, especially when it comes to gaining client trust. POPI tries to prevent any misuse of personal information by setting strict guidelines on how to obtain the information and, in the process, balancing the interest of businesses that use direct marketing and the data subjects’ right to privacy.
Zoho has adopted measures to ensure the security of the data that it processes. Zoho is certified with ISO 27701 (Privacy Information Management System, PIMS) and other industry-accepted standards to help you ensure your data is secure and compliant. Our privacy policy tells you what information we collect from you, what we do with it, who can access it, and what you can do about it. To understand how our existing PIMS is in compliance with the POPI Act, please refer to this article. If you need further information on compliance with specific obligations, reach out to mea-solutions@zohocorp.com. You can also check out our FAQ to find answers to the most frequently asked questions.
Comments